{"id":205182,"date":"2026-04-23T12:19:00","date_gmt":"2026-04-23T16:19:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/23\/iran-nexus-threat-groups-refine-attacks-against-critical-infrastructure\/"},"modified":"2026-04-23T12:45:10","modified_gmt":"2026-04-23T16:45:10","slug":"iran-nexus-threat-groups-refine-attacks-against-critical-infrastructure","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/23\/iran-nexus-threat-groups-refine-attacks-against-critical-infrastructure\/","title":{"rendered":"Iran-nexus threat groups refine attacks against critical infrastructure"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/iran-nexus-threat-groups-refine-attacks-against-critical-infrastructure\/818299\/\">Iran-nexus threat groups refine attacks against critical infrastructure<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/iran-nexus-threat-groups-refine-attacks-against-critical-infrastructure\/818299\/\">https:\/\/www.cybersecuritydive.com\/news\/iran-nexus-threat-groups-refine-attacks-against-critical-infrastructure\/818299\/<\/a><\/p>\n<p>Publish Date: 2026-04-23 12:19:00<\/p>\n<p>Source Domain: www.cybersecuritydive.com<\/p>\n<p>Iran, long considered a steady and persistent cyber threat to the U.S., has raised its game in the months since the two nations went to war in February.\u00a0<br \/>\nIranian-backed cyber threat groups, which range from state-sponsored actors to pro-Iranian hacktivists and financially motivated hackers, appear to have evolved some of their motivations and capabilities in cyber, according to analysts and security researchers.\u00a0<br \/>\n\u201cWhat we are seeing are attacks that are aiming to have a more destructive effect,\u201d Annie Fixler, director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies, told Cybersecurity Dive.\u00a0<\/p>\n<p>Specifically, Iran-linked actors have increased their use of data-wiping malware in recent attacks against Israel and demonstrated a greater capability to evade detection, according to researchers at Palo Alto Networks.\u00a0<\/p>\n<p>In another alarming development, Darktrace last week published an analysis of a malware strain called ZionSiphon that could potentially tamper with chlorine levels and pressure controls in Israeli water facilities. The malware was embedded with pro-Iran and Palestinian messaging for additional psychological impact.\u00a0<br \/>\nIran may have combined the exploitation of flaws in video cameras with its recent kinetic military strikes, according to Check Point Research. The activity may indicate a higher level of coordination and could potentially be turned against critical infrastructure, surveillance and other targets, CCTI\u2019s Fixler noted.<br \/>\nMeanwhile, the bombing campaign by the U.S. 
and Israel exposed weaknesses in Iran\u2019s traditional military capabilities, such as its limited ability to control and defend its own airspace and directly challenge allied bombing campaigns. But the Iranians have used cyberattacks as a way to send messages to neighboring Gulf states, Israel, the U.S., and to its own political dissidents, for intimidation, espionage and destructive acts.<\/p>\n<p>Iran-nexus hackers target critical infrastructure<\/p>\n<p>February 28<br \/>\nU.S. and Israel launch coordinated bombing campaign against Iran.<\/p>\n<p>March 11<br \/>\nMedtech company Stryker hit by wiper attack.<\/p>\n<p>March 19<br \/>\nDOJ announces seizure of domains linked to Handala.<\/p>\n<p>April 7<br \/>\nFBI, CISA warn of Iran-nexus hackers targeting flaws at water, energy providers.<\/p>\n<p>Cyber threat warnings<br \/>\nIn March, cyber-threat-sharing groups across various critical infrastructure sectors issued a joint advisory warning about the heightened threat of cyberattacks from Iran-aligned actors.\u00a0<br \/>\n\u201cSince we released the report, we have indeed seen reports from the critical infrastructure community about Iranian-aligned activity,\u201d Scott Algeier, executive director of the Information Technology-ISAC, told Cybersecurity Dive.\u00a0<\/p>\n<p>The data-wiping cyberattack on medical device maker Stryker in March represented the most high-profile example of an Iran-linked attack, Algeier noted, but there have been reports of cyberattacks targeting critical sites as well. 
Iran-nexus actors are continuing to focus on programmable logic controllers used in OT environments, for instance, he said.\u00a0<br \/>\nNick Andersen, acting director at CISA, said at a Thursday hearing before the House Appropriations Subcommittee on Homeland Security that Iran-linked actors have stepped up activity against poorly configured critical infrastructure sites in the U.S., but have thus far been unable to make significant inroads.\u00a0<br \/>\nCISA and other agencies have warned for several years about hacktivist groups exploiting weak security controls at critical infrastructure sites.\u00a0<br \/>\nAndersen noted the U.S. has a \u201ctremendous amount\u201d of IT and OT supporting critical infrastructure that is exposed to the public internet, unsecured and \u201cnot necessarily taking advantage of modern security practices\u201d like changing default passwords.<br \/>\n\u201cWhen we look at them [Iran] as a specific nation-state threat actor, they\u2019ve been very opportunistically focused where we see unsecured devices that are internet accessible,\u201d Andersen testified during the hearing. \u201cIt provides them with an opportunity to attempt to make connections to those devices.\u201d<\/p>\n<p>CISA and the FBI, meanwhile, led a joint advisory about the Iran-nexus threat activity on April 7, warning that malicious hackers were targeting Rockwell Automation\/Allen-Bradley devices at water utilities, energy facilities and other industrial sites.\u00a0<br \/>\nThe advisory, which was co-authored by the U.S. 
Department of Energy, the Environmental Protection Agency and other federal partners, warned that attackers tried to manipulate human machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) displays.<br \/>\nWhile authorities have not provided details breaking down the specific pattern of attacks, researchers have been able to trace some of the activity to specific threat groups.<br \/>\nPalo Alto Networks Unit 42 linked a cluster of threat activity in late March to the same Rockwell Automation devices cited in the FBI advisory, according to an updated blog post released Friday.\u00a0<br \/>\nA threat group tracked as CL-STA-1128 (also tracked as Cyber Av3ngers or Storm-0784) abused Rockwell Automation\u2019s FactoryTalk software by installing it onto virtual private server infrastructure, according to Unit 42 researchers.\u00a0<br \/>\nAsymmetric cyber capabilities<br \/>\nIran in recent years has demonstrated the ability to leverage a network of state-sponsored and hacktivist operatives to sow fear, discord and operational disruption via cyber campaigns.\u00a0<br \/>\nU.S. authorities, including CISA, have tracked a group of advanced persistent threat actors since at least 2018 under the name MuddyWater, also known as Seedworm or Static Kitten. The group, operating under Iran\u2019s Ministry of Intelligence and Security (MOIS), has targeted rival governments, defense industries, telecommunications and energy providers through spear phishing, exploitation of known vulnerabilities and abuse of open source tools for conducting cyber espionage, stealing sensitive data and deploying ransomware.\u00a0<\/p>\n<p>In 2022, the U.S. Treasury sanctioned MOIS in connection with threat activity against the U.S. and other allies dating back to 2007. 
Treasury cited a July 2022 cyberattack against the Albanian government, where an Iran-linked group called HomeLand Justice maintained access to a targeted network for 14 months before unleashing ransomware and disk-wiping malware.\u00a0<br \/>\nIran has also long used cyber operations to target critical infrastructure in Israel, its leading geopolitical rival. During the Gaza War starting in 2023, these attackers also targeted water utilities and other critical infrastructure in the U.S.\u00a0<br \/>\nDrinking water and wastewater treatment facilities in the U.S. also have been victims of Iran-linked cyberattacks, specifically in a campaign that exploited weaknesses in Unitronics PLCs. The U.S. has about 150,000 public water facilities and 16,000 wastewater treatment sites, most of which lack the manpower, funding or training to thwart such attacks.\u00a0<br \/>\nThe water sector has traditionally been a relatively easy target. A federal probe in 2024 found hundreds of U.S. water sites were either exposed to the internet or contained other configuration weaknesses. The report also found the Environmental Protection Agency lacked an incident reporting plan or documented procedures to coordinate with CISA.\u00a0<br \/>\nSecurity industry leaders say the current cyber threat to water and other utilities represents a clear escalation of capabilities by Iran-linked threat groups.\u00a0<br \/>\nJennifer Lyn Walker, director of infrastructure cyber defense at the Water Information Sharing &#038; Analysis Center, said the prior activity linked to CyberAv3ngers was more of a \u201cnuisance threat\u201d that lacked sophistication. 
But the current threat activity represents an \u201cescalation to include intent to cause disruption with malicious actions,\u201d Walker told Cybersecurity Dive.\u00a0<br \/>\nDespite the recent threat activity, the EPA said drinking water remains secure. \u201cThe ability of water systems to deliver safe drinking water to communities has not been impacted,\u201d a spokesperson said.<br \/>\nFederal agencies have taken some action against Iranian threat actors: following the attacks on water systems and other critical sectors, the Treasury Department in 2024 issued sanctions against members of the Islamic Revolutionary Guard Corps, citing malicious activity against various critical sectors in the U.S. Among those attacks was a 2021 ransomware attack targeting Boston Children\u2019s Hospital that was disrupted by the FBI.<br \/>\nHackers gain persistence<br \/>\nThe cyberattack against Stryker demonstrated a capability that exceeds what was previously known about Iran-linked actors: the deployment of a destructive wiper that abused the company\u2019s Microsoft Intune environment and deleted data from thousands of mobile devices.\u00a0<br \/>\nCCTI\u2019s Fixler and other analysts say the attackers likely obtained credentials and established a foothold in Stryker long before the attack. 
However, the attack remains under investigation, so an official breakdown has not yet been released.\u00a0<br \/>\nHandala, the cyber threat group linked to the Stryker attack, now claims to have gained persistent access to Microsoft Entra, VMware vSphere and IBM FlashSystem environments across multiple targeted organizations, according to researchers at Flashpoint.\u00a0<br \/>\n\u201cThe screenshots that they shared in their channel indicate that these are part of several attack campaigns, though it is difficult to verify until we have confirmation from the victims,\u201d Ian Gray, VP of intelligence at Flashpoint, told Cybersecurity Dive.\u00a0<br \/>\nThose screenshots show the attackers\u2019 ability to generate Temporary Access Passes within Microsoft Entra, which allows the hackers to bypass multifactor authentication, according to Flashpoint. A Temporary Access Pass is a time-limited passcode that satisfies Entra\u2019s strong-authentication requirement, so an attacker who can issue one for an account can sign in as that account, and enroll new authentication methods for it, without the account\u2019s existing MFA factor.\u00a0<br \/>\nMicrosoft officials declined to comment. IBM and Broadcom officials were not immediately available for comment.<br \/>\nIn March, CISA urged security teams across the country to harden their endpoint security following the Stryker attack.<br \/>\nDefending against Iran cyber threats<br \/>\nThere are several steps that security teams should take to mitigate potential attacks from Iran-nexus threat actors. 
For one, internet-facing devices should be removed from open access, and multifactor authentication should be enabled, according to researchers.\u00a0<br \/>\nSecurity teams should also maintain protected backups of PLC projects, which include the logic and configurations for industrial equipment and systems.<br \/>\nIf controllers include a physical mode switch, it should be placed in the run position so that the logic cannot be modified remotely, according to the CISA and FBI advisory.\u00a0<br \/>\nTo protect against wiper attacks, security teams should eliminate standing privileges and also harden Entra ID administrator accounts, according to Palo Alto Networks researchers.\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Iran-nexus threat groups refine attacks against critical infrastructure https:\/\/www.cybersecuritydive.com\/news\/iran-nexus-threat-groups-refine-attacks-against-critical-infrastructure\/818299\/ Publish Date: 2026-04-23 12:19:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":205183,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/imgproxy.divecdn.com\/SsueGhea_8X0rnzCJyPrvyBa_1ae6oXUerZ52R3-3mI\/g:ce\/rs:fit:770:435\/Z3M6Ly9kaXZlc2l0ZS1zdG9yYWdlL2RpdmVpbWFnZS9HZXR0eUltYWdlcy0yMjY3MzY4MTk5LmpwZw==.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32,25,34],"class_list":["post-205182","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware","tag-phishing","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/205182"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-n
eed.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=205182"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/205182\/revisions"}],"predecessor-version":[{"id":205184,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/205182\/revisions\/205184"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/205183"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=205182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=205182"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=205182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
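The Temporary Access Pass abuse that Flashpoint describes in the article leaves a trail in the Entra audit log, and the closing advice to harden Entra ID administrator accounts and eliminate standing privileges is easier to act on with a concrete hunt. The Python below is an added example for this page, not code from the article, from Flashpoint or from Microsoft: it scans directoryAudit-shaped records for admin TAP registrations, raises severity when the issuer is outside an allow-list or the target holds a privileged role, and flags issuers that mint several TAPs inside a short window. The event name and result text, the example.com accounts, the role assignments, the allow-list and the log records are all constructed assumptions; confirm the strings against your own tenant's audit log before relying on them.

```python
"""Hunt for Temporary Access Pass (TAP) issuance in Microsoft Entra audit logs.

Added example, not code from the article, Flashpoint or Microsoft; the event
text, role names, issuer allow-list and log records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Assumed audit-event name and result text for an admin-issued TAP.
TAP_ACTIVITY = "Admin registered security info"
TAP_MARKER = "temporary access pass"
TAP_RESULT = "Admin registered temporary access pass method for user"

# Constructed policy inputs: who may issue TAPs, and which roles make a target sensitive.
APPROVED_TAP_ISSUERS = {"helpdesk-lead@example.com"}
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}
ROLE_ASSIGNMENTS = {"cfo@example.com": {"Global Administrator"},
                    "intune-ops@example.com": {"Intune Administrator"}}


def _audit_record(ts, actor, target, result):
    """One directoryAudit-shaped record (constructed sample data)."""
    return {"activityDateTime": ts, "activityDisplayName": TAP_ACTIVITY,
            "resultReason": result,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"type": "User", "userPrincipalName": target}]}


SAMPLE_AUDIT_LOG = [
    # Routine: approved helpdesk issuer, ordinary user.
    _audit_record("2026-03-10T08:02:11Z", "helpdesk-lead@example.com",
                  "alice@example.com", TAP_RESULT),
    # Same event name but a phone method, not a TAP: must be ignored.
    _audit_record("2026-03-10T08:05:40Z", "helpdesk-lead@example.com",
                  "alice@example.com", "Admin registered phone method for user"),
    # Off-hours burst from a non-approved issuer hitting two role holders: the
    # trail an MFA-bypass campaign of the kind described above would leave.
    _audit_record("2026-03-10T22:41:05Z", "svc-migration@example.com",
                  "cfo@example.com", TAP_RESULT),
    _audit_record("2026-03-10T22:43:30Z", "svc-migration@example.com",
                  "bob@example.com", TAP_RESULT),
    _audit_record("2026-03-10T22:49:12Z", "svc-migration@example.com",
                  "intune-ops@example.com", TAP_RESULT),
]


class Finding(NamedTuple):
    when: datetime
    actor: str
    target: str
    severity: str
    reasons: tuple


def is_tap_issuance(event):
    """Admin security-info registration whose result text names a TAP."""
    return (event.get("activityDisplayName") == TAP_ACTIVITY
            and TAP_MARKER in (event.get("resultReason") or "").lower())


def principals(event):
    """(issuer, target): issuer is a user UPN or, for apps, the app display name."""
    initiated = event.get("initiatedBy") or {}
    user, app = initiated.get("user") or {}, initiated.get("app") or {}
    issuer = user.get("userPrincipalName") or app.get("displayName") or "unknown"
    targets = [r.get("userPrincipalName") for r in event.get("targetResources") or []]
    return issuer, next((t for t in targets if t), "unknown")


def hunt_tap_issuance(events, approved_issuers=APPROVED_TAP_ISSUERS,
                      privileged_roles=PRIVILEGED_ROLES,
                      role_assignments=ROLE_ASSIGNMENTS):
    """One Finding per TAP: 'high' on an unexpected issuer or privileged target."""
    findings = []
    for ev in events:
        if not is_tap_issuance(ev):
            continue
        actor, target = principals(ev)
        reasons = []
        if actor not in approved_issuers:
            reasons.append(f"issuer {actor} is not an approved TAP issuer")
        held = role_assignments.get(target, set()) & privileged_roles
        if held:
            reasons.append(f"target holds {', '.join(sorted(held))}")
        # Graph returns ISO-8601 'Z' timestamps; fromisoformat wants an offset.
        when = datetime.fromisoformat(ev["activityDateTime"].replace("Z", "+00:00"))
        findings.append(Finding(when, actor, target,
                                "high" if reasons else "low", tuple(reasons)))
    return findings


def burst_issuers(findings, window=timedelta(minutes=15), threshold=3):
    """Issuers that registered at least `threshold` TAPs inside any `window`."""
    times_by_actor = defaultdict(list)
    for f in findings:
        times_by_actor[f.actor].append(f.when)
    bursting = set()
    for actor, times in times_by_actor.items():
        times.sort()
        for i, start in enumerate(times[:len(times) - threshold + 1]):
            if times[i + threshold - 1] - start <= window:
                bursting.add(actor)
                break
    return bursting
```

Calling `hunt_tap_issuance(SAMPLE_AUDIT_LOG)` on the constructed log yields one low finding for the helpdesk issuance and three high findings for the off-hours run, and `burst_issuers` names the service account behind them. Swapping in records exported from the tenant's audit log is the only change needed for real use; keep the low findings too, since a TAP for an ordinary user is exactly what precedes a later escalation.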